git.immae.eu Git - perso/Immae/Projets/Puppet.git/blame - modules/profile/manifests/postgresql/ssl.pp
Refactor backup postgresql
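# Places TLS certificate/key material for one PostgreSQL data directory and,
# optionally, declares the matching ssl settings for postgresql.conf.
#
# The resource title is used as the data directory ($datadir); a File[$datadir]
# resource must exist elsewhere in the catalog because the certs directory
# requires it.
#
# Parameters:
#   $cert, $key           Paths to an existing certificate and private key.
#                         If either one is empty, a self-signed certificate is
#                         generated instead.
#   $certname             Name for the generated self-signed certificate;
#                         mandatory when $cert or $key is empty.
#   $copy_keys            When true (default), $cert and $key are copied into
#                         "$datadir/certs"; when false they are referenced in
#                         place.
#   $handle_config_entry  Declare postgresql::server::config_entry resources
#                         for ssl, ssl_cert_file and ssl_key_file.
#   $handle_concat_config Only consulted when $handle_config_entry is false:
#                         emit a concat::fragment for "$datadir/postgresql.conf".
#   $pg_user, $pg_group   Owner and group applied to the managed files.
#
# NOTE(review): "ssl = on" only makes TLS available. Whether plaintext
# connections are refused is decided in pg_hba.conf (hostssl entries), which
# this define does not manage.
define profile::postgresql::ssl (
  Optional[String]  $cert                 = undef,
  Optional[String]  $key                  = undef,
  Optional[String]  $certname             = undef,
  Optional[Boolean] $copy_keys            = true,
  Optional[Boolean] $handle_config_entry  = false,
  Optional[Boolean] $handle_concat_config = false,
  Optional[String]  $pg_user              = "postgres",
  Optional[String]  $pg_group             = "postgres",
) {
  $datadir = $title

  # Private directory for key material: only the database user may enter it.
  file { "$datadir/certs":
    ensure  => directory,
    mode    => "0700",
    owner   => $pg_user,
    group   => $pg_group,
    require => File[$datadir],
  }

  # NOTE(review): this branch is also taken when exactly one of $cert / $key
  # is supplied; the supplied value is then ignored and a self-signed
  # certificate is used instead. Confirm that callers expect this.
  if empty($cert) or empty($key) {
    if empty($certname) {
      fail("A certificate name is necessary to generate ssl certificate")
    }

    # A self-signed certificate chains to no CA, so clients can authenticate
    # the server only if this certificate itself is distributed to them.
    ssl::self_signed_certificate { $certname:
      common_name  => $certname,
      country      => "FR",
      days         => "3650",
      organization => "Immae",
      owner        => $pg_user,
      group        => $pg_group,
      directory    => "$datadir/certs",
    }

    # Assumes ssl::self_signed_certificate writes <certname>.key and
    # <certname>.crt into the given directory - TODO confirm against that define.
    $ssl_key  = "$datadir/certs/$certname.key"
    $ssl_cert = "$datadir/certs/$certname.crt"
  } elsif $copy_keys {
    $ssl_key  = "$datadir/certs/privkey.pem"
    $ssl_cert = "$datadir/certs/cert.pem"

    # links => follow copies the target's content when the source is a symlink.
    file { $ssl_cert:
      source  => "file://$cert",
      mode    => "0600",
      links   => "follow",
      owner   => $pg_user,
      group   => $pg_group,
      require => File["$datadir/certs"],
    }
    file { $ssl_key:
      source    => "file://$key",
      mode      => "0600",
      links     => "follow",
      owner     => $pg_user,
      group     => $pg_group,
      # Keep private key content out of agent logs and reports when the file
      # changes and diff display is enabled.
      show_diff => false,
      require   => File["$datadir/certs"],
    }
  } else {
    # The files are used in place; their ownership and mode are not managed
    # here. PostgreSQL refuses a key file that is group- or world-accessible
    # (unless it is root-owned with at most group read), so the caller must
    # ensure suitable permissions.
    $ssl_key  = $key
    $ssl_cert = $cert
  }

  if $handle_config_entry {
    postgresql::server::config_entry { "ssl":
      value => "on",
    }

    postgresql::server::config_entry { "ssl_cert_file":
      value => $ssl_cert,
    }

    postgresql::server::config_entry { "ssl_key_file":
      value => $ssl_key,
    }
  } elsif $handle_concat_config {
    # The paths are interpolated between single quotes without escaping; a
    # path containing a single quote would produce a malformed config line.
    concat::fragment { "$datadir/postgresql.conf ssl config":
      target  => "$datadir/postgresql.conf",
      content => "ssl = on\nssl_key_file = '$ssl_key'\nssl_cert_file = '$ssl_cert'\n"
    }
  }

}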